Active Directory Recon 101 - OWASP Bay Area Presentation

Prashant
August 15, 2018


Transcript

  1. Active Directory Recon 101 - Prashant Mahajan, 15 August 18

     Sense of Security Pty Ltd, ABN 14 098 237 908 - Compliance, Protection & Business Confidence
     Sydney: Level 8, 59 Goulburn Street, Sydney NSW 2000
     Melbourne: Level 15, 401 Docklands Drive, Docklands VIC 3008
     Tel. 1300 922 923, Intl. +61 2 9290 4444, www.senseofsecurity.com.au, @ITSecurityAU
  2. Agenda
     • What is Active Directory (AD)?
     • Reconnaissance
     • Username Enumeration
     • Password Brute-Force
     • ADRecon
  3. What is Active Directory (AD)?
     • Microsoft’s proprietary directory service for use in Windows domain networks
     • Usually referring to a specific service in AD: AD DS – Active Directory Domain Services
     • Provides centralised and standardised management of network resources (“objects”): users, groups, computers, policies, etc.
     • Relies on different protocols/technologies to provide:
       • Location lookup
       • Management of objects
       • Access – auth(n/z)
     References: https://blogs.technet.microsoft.com/ashwinexchange/2012/12/18/understanding-active-directory-for-beginners-part-1/ ; Fun with LDAP and Kerberos* in AD environments - Ronnie Flathers (@ropnop), Thotcon 2018
     Sense of Security - 2018
  4. (image-only slide, no text)

  5. Building your own AD Lab
     • Building an Effective Active Directory Lab Environment for Testing (https://adsecurity.org/?p=2653)
     • Setting up an Active Directory Lab (https://www.psattack.com/articles/20160718/setting-up-an-active-directory-lab-part-1/)
     • Detection Lab (https://github.com/clong/DetectionLab)
     • AutomatedLab (https://github.com/AutomatedLab/AutomatedLab)
     • Invoke-ADLabDeployer (https://github.com/outflanknl/Invoke-ADLabDeployer)
     • Creating Real Looking User Accounts in AD Lab (https://www.darkoperator.com/blog/2016/7/30/creating-real-looking-user-accounts-in-ad-lab)
     • Create Lab User Accounts 2.0 (https://gallery.technet.microsoft.com/Create-Lab-User-Accounts-844f7ba1)
  6. Reconnaissance
     • DHCP
     • DNS
     • LDAP Meta-Data
     • NetBIOS
  7. DHCP - Wireshark (screenshot slide)
  8. DHCP - Nmap
     nmap --script broadcast-dhcp-discover
  9. DNS - nslookup
     nslookup
     • set type=srv
     • _gc._tcp.<domain fqdn>
     • _ldap._tcp.<domain fqdn>
     • _kerberos._tcp.<domain fqdn>
     • _kpasswd._tcp.<domain fqdn>
  10. DNS - dig
     • dig -t SRV _gc._tcp.<domain fqdn>
     • dig -t SRV _ldap._tcp.<domain fqdn>
     • dig -t SRV _kerberos._tcp.<domain fqdn>
     • dig -t SRV _kpasswd._tcp.<domain fqdn>
  11. DNS - nmap
     nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='<domain fqdn>'"
  12. DNS - Qualys
     • Active Directory / Windows Network Enumeration Through DNS Service Locator Records
     • QID: 45023
  13. LDAP Meta-data – LDAP Admin (screenshot slide)
  14. LDAP Meta-data – ldapsearch
     ldapsearch -LLL -x -H ldap://dc1.sos.labs -b '' -s base '(objectclass=*)'
     • -L: Search results are displayed in LDAP Data Interchange Format detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF.
     • -x: Use simple authentication instead of SASL.
     • -H: ldapuri
     • -b: searchbase
     • -s: {base|one|sub|children}
     http://www.openldap.org/software//man.cgi?query=ldapsearch&apropos=0&sektion=1&manpath=OpenLDAP+2.4-Release&format=html
  15. LDAP Meta-Data – Qualys/Nessus
     • LDAP Information Gathering – QID: 45016
     • LDAP Crafted Search Request Server Information Disclosure – Plugin ID: 25701
  16. NetBIOS
     • NetBT || NetBIOS over TCP/IP || NBT
     • NetBIOS over TCP/IP is the network component that performs computer name to IP address mapping, name resolution (netbt.sys or vnbt.sys)
     • A legacy protocol used for backward compatibility
     https://technet.microsoft.com/en-us/library/cc961921.aspx
  17. NetBIOS – nbtstat (Windows)
     nbtstat -a <IP>
  18. NetBIOS – nmblookup (Kali)
     nmblookup -A <IP>
  19. NetBIOS - nbtscan
     • nbtscan (Kali)
     • nbtscan (Windows: http://sectools.org/tool/nbtscan/)
  20. Active Directory Common Ports Used

     Protocol | Port | AD and AD DS Usage | Type of traffic
     ---------|------|--------------------|----------------
     TCP | 25 | Replication | SMTP
     TCP/UDP | 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
     TCP/UDP | 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
     UDP | 123 | Windows Time, Trusts | Windows Time, NTP, SNTP
     TCP | 135 | Replication | RPC, EPM
     UDP | 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
     UDP | 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
     TCP | 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, Net
     TCP/UDP | 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
     TCP/UDP | 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
  21. Active Directory Common Ports Used (continued)

     Protocol | Port | AD and AD DS Usage | Type of traffic
     ---------|------|--------------------|----------------
     TCP/UDP | 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
     TCP | 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
     TCP | 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
     TCP | 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
     TCP | 5722 | File Replication | RPC, DFSR (SYSVOL)
     TCP | 5985 | WS-Management and PowerShell remoting (HTTP) | WinRM
     TCP | 5986 | WS-Management and PowerShell remoting (HTTPS) | WinRM
     TCP | 9389 | AD DS Web Services | SOAP
     UDP | 67 and 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
  22. Active Directory Common Ports Used (continued)

     Protocol | Port | AD and AD DS Usage | Type of traffic
     ---------|------|--------------------|----------------
     TCP | 49152-65535 | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
     UDP | 49152-65535 | Group Policy | DCOM, RPC, EPM

     Source: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
  23. Username enumeration
     • null session
     • Printers
     • Kerberos
     • Authenticated (normal/unprivileged user) - ADRecon
  24. null session – enum4linux
     enum4linux -a <IP>
  25. Authenticated enum4linux
     enum4linux -u <domain\username> -p <password> -a <IP>
  26. null session - rpcclient
     rpcclient -U "" -N <IP>
     rpcclient -U <username> <IP>
  27. null session - rpcclient (screenshot slide)
  28. Kerberos
     • nmap (https://nmap.org/nsedoc/scripts/krb5-enum-users.html)
       nmap -p88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/usernames.txt <DC-IP>
     • Metasploit auxiliary/gather/kerberos_enumusers
  29. Password Brute-Force
     • SMB
     • RDP
     • Kerberos
  30. Password Brute-Force - Metasploit
     • auxiliary/scanner/smb/smb_login
  31. Password Brute-Force - Metasploit (screenshot slide)
  32. Password Brute-Force - Metasploit
     • Failed
     • Successful
  33. Password Brute-Force - Metasploit
     • Generates a security event every failed attempt
     • Event ID 4625 “An account failed to log on”
  34. Password Brute-Force
     • RDP?
     • Extremely slow :(
  35. Password Brute-Force
     • Kerberos?
  36. Password Brute-Force
     https://github.com/ropnop/kerberos_windows_scripts
     apt install heimdal-clients
  37. Password Brute-Force
     • kerberos_windows_scripts by ropnop
     • Loops through a username list or a password list
     • Runs kinit with the username and password
     • Generates a security event for every attempt
       • Event ID 4624 “An account was successfully logged on”
     • Generates a security event for every attempt if Account Logon: Audit Kerberos Authentication Service is configured
       • Event ID 4771 “Kerberos pre-authentication failed” with Failure Code 0x18 (bad password) for failed attempts
     https://github.com/ropnop/kerberos_windows_scripts
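Slides 33 and 37 point out that SMB and Kerberos password guessing leaves Event ID 4625, 4771 (failure code 0x18) and 4624 records on the domain controller. The following added example (not from the deck, ADRecon or kerberos_windows_scripts) runs a detection pass over constructed sample events: it counts bad-password events per source inside a sliding window and records any successful logon from a source that has already tripped the threshold. The event tuple layout, the threshold and the window size are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security events (not real logs), as
# (timestamp, event_id, account, source_ip, failure_code):
#   4625 = "An account failed to log on" (SMB guessing, slide 33)
#   4771 = "Kerberos pre-authentication failed"; 0x18 = bad password (slide 37)
#   4624 = "An account was successfully logged on"
SAMPLE_EVENTS = [
    ("2018-08-15T10:00:01", 4771, "alice", "10.0.0.50", "0x18"),
    ("2018-08-15T10:00:02", 4771, "bob",   "10.0.0.50", "0x18"),
    ("2018-08-15T10:00:03", 4771, "carol", "10.0.0.50", "0x18"),
    ("2018-08-15T10:00:04", 4771, "dave",  "10.0.0.50", "0x18"),
    ("2018-08-15T10:00:05", 4771, "erin",  "10.0.0.50", "0x18"),
    ("2018-08-15T10:00:06", 4624, "erin",  "10.0.0.50", None),    # guess succeeded
    ("2018-08-15T10:00:07", 4771, "alice", "10.0.0.60", "0x12"),  # disabled account, not a guess
    ("2018-08-15T10:05:00", 4625, "alice", "10.0.0.70", None),
    ("2018-08-15T11:00:00", 4625, "alice", "10.0.0.70", None),    # isolated failure
]

def is_bad_password(event_id, failure_code):
    """4625 is always a failed logon; 4771 counts only with failure code 0x18."""
    return event_id == 4625 or (event_id == 4771 and failure_code == "0x18")

def detect_brute_force(events, threshold=5, window_seconds=300):
    """Flag every source that produced >= threshold bad-password events within a
    sliding window, and record any 4624 logon that source achieved afterwards.
    Returns {source_ip: {"failures": n, "accounts": [...], "success_after": [...]}}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)     # source_ip -> timestamps still inside the window
    total = defaultdict(int)        # source_ip -> all bad-password events seen
    accounts = defaultdict(set)     # source_ip -> accounts it tried
    flagged = {}                    # source_ip -> accounts that logged on after flagging
    for ts, event_id, account, src, code in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if is_bad_password(event_id, code):
            q = recent[src]
            q.append(t)
            total[src] += 1
            accounts[src].add(account)
            while t - q[0] > window:        # drop events that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged.setdefault(src, [])
        elif event_id == 4624 and src in flagged:
            flagged[src].append(account)    # success right after a burst of failures
    return {src: {"failures": total[src], "accounts": sorted(accounts[src]),
                  "success_after": succ} for src, succ in flagged.items()}
```

With the sample data only 10.0.0.50 is flagged: five bad-password events against five different accounts followed by a logon as erin, which is the spray-then-success pattern worth alerting on.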
  38. Password Brute-Force (screenshot slide)

  39. Password Brute-Force (screenshot slide)

  40. ADRecon Demo
     https://github.com/sense-of-security/adrecon
     https://www.slideshare.net/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation
  41. Thank You!
     Security, it’s all we do. Knowledge, Experience & Trust.
     Sense of Security Pty Ltd, ABN 14 098 237 908, www.senseofsecurity.com.au, @ITSecurityAU
     © 2002 – 2018 Sense of Security Pty Limited. All rights reserved.